Company Policy for the Protection of Personal Data to Protect the Fundamental Rights and Freedoms of Natural Persons Consulted on This Website Pursuant to Article 13 of Regulation (EU) 2016/679.
- SCOPE OF APPLICATION
- INFORMATION SECURITY POLICY
- RESPONSIBILITIES OF THE INFORMATION SECURITY POLICY
The purpose of this document is to describe the general principles of security and confidentiality of information and personal data defined by the Data Controller and to ensure that all parties involved in the processing of data are provided with an efficient and secure management system of procedures and processes for the security of personal data in compliance with the European Regulation 2016/679, henceforth GDPR.
bluAlghero-Sardinia intends to pursue objectives of security of information, personal data, the technological, physical, logical and organisational structure and their management. This means achieving and maintaining a secure information management system through compliance with the principles set out in Articles 5 and 6 of the GDPR:
- Lawfulness, fairness, transparency;
- Guaranteed with respect to the management and collection of data for contractual, specified, explicit and legitimate purposes only, and subsequently processed in a way that is not incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (principle of “data minimisation”);
- Accurate and, where necessary, kept up to date; all reasonable steps must be taken to delete or rectify in a timely manner data that are inaccurate in relation to the purposes for which they are processed (“accuracy”);
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which they are processed; and
- Processed in such a way as to ensure appropriate security of personal data, including protection, by appropriate technical and organisational measures, against unauthorised or unlawful processing and accidental loss, destruction or damage (principle of “integrity and confidentiality”);
- Safeguarding the consistency of information from unauthorised modification
- Ensure the reliability of information source channels;
- Ensure the protection and control of personal data.
3. SCOPE OF APPLICATION
The data protection policy applies to all processes and resources involved in the design, implementation, commissioning and ongoing delivery of services.
The following describes the products and services provided and explains how they are delivered.
Products and services provided:
Web platform for promoting the territory and offering tourist booking and assistance services to tourists. Marketing campaigns through affiliate programmes. Advertisements for accommodation facilities and companies.
4. INFORMATION SECURITY POLICY
- The verification of the data that will be processed with identification of the various types of data and the categories to which they belong. The verification of the purpose of each processing operation and the legal basis on which each of them is based, also in order to provide adequate information to the data subjects, as required by Articles 13 and 14 of the GDPR;
- The preparation of the notice(s) (or its updating) that must be provided to the data subjects in compliance with all the elements indicated in Articles 13 and 14 of the GDPR. In particular, data subjects must be made aware of the rights that the Regulation grants them (right of access, right to be forgotten, right to rectification, right to restriction and opposition to processing, right to data portability); the information for data subjects must be provided by the client if the software or services used provide for the collection of data;
- The establishment of a procedure to be adopted in the event of any data breaches (the so-called Data Breach referred to in Articles 33 and 34 of the GDPR), e.g. upon the occurrence of a disclosure (whether intentional or unintentional), destruction, loss, modification or unauthorised access to the personal data being processed. In fact, the GDPR provides for specific requirements in the event that such a breach occurs, due to a cyber attack, unauthorised access or an accident. In these cases, the GDPR imposes, as set out in Article 33, an obligation on the data controller to notify the supervisory authority of the breach within 72 hours (or in any case without delay). If the breach that has occurred also gives rise to the presumption of a high and present danger to the rights and freedoms of the data subjects, the latter must also be directly informed without delay of what has happened;
- In Article 35 of the GDPR, there is an obligation on the data controller (and with the possibility of consulting the Data Protection Officer if one is appointed) to carry out a data protection impact assessment in the event that a type of processing, also taking into account the nature, subject-matter, context and purposes of the processing, presents a high risk to the rights and freedoms of natural persons. It should be noted that the GDPR does not lay down an actual obligation to carry out an impact assessment, but it should be recalled that the Regulation lays down a general obligation for the data controller to implement appropriate measures to adequately manage the risks to the rights and freedoms of data subjects that may arise from the processing of their data. It will therefore be appropriate to carry out an impact assessment even when the data controller is not under a legal obligation to do so.
- Articles 37 – 38 and 39 introduce another requirement for the data controller, which consists in the appointment of a Data Protection Officer. This appointment, as provided for in Art. 37 of the GDPR, is mandatory only in a number of cases, in particular, where the data processing is carried out by a public authority or a public body (with the exception of judicial authorities when exercising their functions) where the main activities carried out by the controller or processor consist of operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; and finally, where the main activities carried out consist of the processing, on a large scale, of sensitive data or data relating to criminal convictions and offences involving the unlawful processing of personal data. As also suggested by the Working Party of 29, the advisory and independent body composed of a representative of the data protection authorities designated by each Member State that drew up the Guidelines laying down rules on the appointment of the DPO, when the Regulation does not specifically require the appointment of a DPO, this figure may still be appointed by the data controller or processor on a voluntary basis.
5. RESPONSIBILITY FOR INFORMATION SECURITY POLICY
The ‘data controller’ and ‘controller’ are responsible for the secure information management system, consistent with the evolution of the business and market environment, evaluating possible actions to be taken in the face of events such as:
- Significant business developments;
- New threats compared to those considered in the risk analysis activity;
- Significant security incidents;
- Changes in the regulatory or legislative environment regarding the secure handling of information.
Consent to the Processing of Personal Data
By submitting the request form, the user consents to the processing of personal data by BluAlghero-Sardinia.com, in accordance with Law 196/2003 and its subsequent amendments and EU Regulation 679/2016 and declares to have read the information on the processing of personal data.
Personal data are collected only if you decide to provide them, for example, to proceed with a booking or for other services.
Your data is only processed internally.
Any personal information you provide when using this website will be used in accordance with the data protection act.
Data protection declaration
We will never provide your personal information to any company outside BluAlghero-Sardinia.com. However, we may send you information about our services, including exclusive offers, promotions and special events. You can revoke your consent at any time for future
Links to other websites
This website includes links to other websites. We are not responsible for the information, material, products or services contained and accessible on third-party sites.
External sites may have different security methods and privacy policies than those described above over which we have no control.
CHARACTERISTICS ON THE USE OF PERSONAL DATA
Personal data, or personal information, is information about any individual from which we can infer his or her identity.
We collect a range of information relating to users who visit the blualghero-sardinia website. This personal information falls into the categories set out below.
Personal data: any information relating to an identified or identifiable natural person.
Identifying data: includes title, first name, surname, user name or other identifying data. If you communicate with us via email forms or social media, this category of data also includes the user name used on that social media platform.
Contact data: includes billing address, shipping address, email address and telephone number.
Financial data: this includes information about the type of payment used.
Transaction Data: This includes information about payments made by and to the user and additional information about products and services purchased.
Technical data: this includes your internet protocol (IP) address, your login details, browser type and version, time zone and location, browser plug-ins and their versions, operating system, platform and any other technology that operates on the devices you use to access the site.
Usage data: this includes information about your use of our site and our products and services.
Tracking Data: includes information about you that we, or third parties, collect from cookies and tracking technologies and mobile device identification data.
Market and business data: this includes preferences regarding receipt of direct marketing communications from us and from third parties and any preferences related to communications.
We also collect, use and share Aggregate Data such as statistical and demographic data for any purpose. Aggregate Data may be derived from your Personal Data, although it is not considered Personal Data under the law because it does not reveal your identity, either directly or indirectly. For example, we may aggregate Usage Data to calculate the percentage of users accessing a specific Site feature. In order to offer better content and services, the blualghero-sardinia website uses Google Analytics 4.
We do not collect Sensitive Data relating to you (this includes data revealing racial or ethnic origin, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information as well as genetic and biometric data). Furthermore, we do not collect judicial data relating to the user.
Cookies are small pieces of data that are stored and used to improve your experience of using a website.
For example, they may temporarily remember your browsing preferences so that you don’t have to select your language each time, making subsequent visits more convenient and intuitive.
Or they can be used to do ‘anonymous surveys’ on how users navigate through the site, so that it can be improved from real data.
Cookies are not viruses or programs
Cookies are not viruses or programs. Cookies are merely data saved in text form in the form “variable=value” (e.g.: “siteAccessDate=2014-01-20,14:23:15R43;”). This data can only be read by the site that generated it, and in many cases has an expiry date, after which the browser will automatically delete it.
Not all cookies are used for the same purpose: the different types of cookies used by this website are specified below.
These cookies are essential in order to enable you to move around the site and make full use of its features. Without these cookies some services will not function properly.
These cookies collect information about how users use a website, but do not store information that identifies a visitor. These cookies are only used to improve the functioning of the website.
By using the site you agree that such cookies may be stored on your device.
These cookies allow the site to remember choices you make (such as language or other special settings that may be available) and provide enhanced personalised functionality, and may also be used to deliver the services you have requested. By using the site you agree that such cookies may be stored on your device.
How to manage cookies on your PC
Each browser allows you to customise the way cookies are handled. Please consult the documentation of the browser you are using for more information.
Some browsers allow ‘anonymous browsing’ on websites, accepting cookies and then automatically deleting them at the end of the browsing session. For more information about ‘anonymous browsing’, please consult the documentation of the browser used.
You can prevent Google from collecting a cookie generated by and linked to your use of this website (including your IP address) and processing this data by downloading and installing this browser plug-in: http://tools.google.com/dlpage/gaoptout?hl=en
WHAT KIND OF COOKIES DOES THIS WEBSITE USE?
- Technical cookies
These cookies are used to improve navigation and optimise the functioning of the website. They store service configurations so that you do not have to reconfigure them each time you visit this website.
- Analysis cookies
These are those which, processed by us or by third parties, allow us to quantify the number of users and thus perform statistical measurement and analysis of their use of the service offered. Consequently, your navigation on our website is analysed with the aim of improving the products or services we offer you.
- Third-party marketing/retargeting cookies
These cookies allow us, after you have visited blualghero-sardinia, to show you advertising banners with the best offers in the locations you have previously searched for.
HOW TO MANAGE COOKIES ON YOUR BROWSER
You can allow, block or delete cookies installed on your device by configuring the options of the browser installed on your computer.
ACCEPTANCE OF COOKIES
HOW TO DISABLE/ENABLE COOKIES?
You can disable/enable cookies from your device through your internet browser. We have explained how you can manage cookies on your computer through some of the main internet browsers listed below. For information on how to manage cookies on your tablet and/or mobile phone please consult your documentation or online help files.
- In the settings menu, select “Show advanced settings” at the bottom of the page
- Select the ‘settings content’ button in the privacy section
The section at the top of the page that appears next explains cookies and allows you to select the cookies you want. It also allows you to delete any cookies currently stored.
- In the tools menu, select “Options”
- Select the “Privacy” button in the “Options” folder
- From the drop-down menu, choose “History Settings”. This will show you the options for cookies and you can choose to enable or disable them by clicking on the box.
- In the menu bar, select “Internet Options”
- Click on the “Privacy” button
- You will see a privacy settings slider that has six settings that allow you to control the number of cookies that will be placed: Block All Cookies, High, Medium High, Medium (default level), Low, and Accept All Cookies.
- In the Settings menu, select the ‘Preferences’ option
- Open the Privacy section
- Select the option you want from the “Block cookies” section
All other browsers
For information on how to manage cookies through other browsers, please consult your documentation or online help files.
How to disable/enable third-party cookies?
Third party cookies are not placed by us. We would therefore suggest that you visit the website of these third parties for information about the cookies they place and how to manage them.
For more information on cookies and their general functions, please visit an informative website such as www.allaboutcookies.org.
Third Party Tracking Tools
Traffic optimisation and distribution
Cloudflare (Cloudflare Inc.)
Displaying content from external platforms
Google Maps Widget (Google Inc.)
YouTube Video Widget (Google Ireland Limited)
Google Tag Manager
Google Analytics 4
Displaying content from external platforms
Personal Data: Usage Data; Tracking Tools
Access to accounts on social websites
Permissions: Email; Device information; Tracking Tool
Interaction with social networks and external platforms
Like button and social widgets of Facebook and Instagram (Facebook, Instagram)
Affiliation with external websites for commercial purposes (Booking history; Usage data; Tracking tools):
Permissions: Email; Device Information; Tracking Tool
Contacting and sending messages via form
Integration of Form Contact7
Personal data: name, email
Personal Data: Usage Data; Tracking Tool
Google Maps widget
Personal data collected: Cookies and Usage data.
YouTube Video Widget
Personal data collected: Cookies and Usage data.
Google reCAPTCHA (Google LLC)
The different methods we use to collect data from you are listed below.
Direct interaction. The user decides to provide us with identification, contact and financial data by filling in a form or by communicating this data by post, telephone, e-mail or via chat or social media.
This includes personal data communicated by users when they:
- subscribe to the newsletter;
- submit requests for information;
- create an account on our site;
- order our services;
- contact us on social media;
- post a comment or review about our products or services.
When you interact with us, including through the blualghero-sardinia site, we may collect Technical Data about your devices and browsing actions and patterns. We may also collect Tracking Data when you consult our site or when you click on one of our advertisements (including those posted on third party sites).
Third Parties or Public Domain Sources. We may receive Personal Data about you from various categories of third parties, including:
- technical and/or tracking data from analytics service providers, advertising networks and research service providers;
- contact, financial and transaction data from payment service providers and fraud prevention services;
- identification and contact data from partners with whom we share data; and
- data from any third party who has been authorised by regulation or by you to share that user’s personal data with us, for example through social media or review sites.
Use of your personal data
We use personal data within the limits provided by law. In general we use personal data in the following circumstances.
If we have to perform a contract that is being concluded or has already been concluded with you. For example, a contract consisting of the purchase of a service by the user.
If it is necessary to pursue our legitimate interests (or those of third parties) as long as the interests and fundamental rights of the user do not prevail over them. For example, during anti-fraud checks during the payment procedure.
If we have to comply with obligations imposed by laws or regulations. For example, for the storage of sales documentation for tax reasons.
In general, the legal basis on which we process your personal data does not include your consent unless expressly required by law, e.g. for sending certain direct marketing communications. Where the legal basis is based on consent, you have the right to withdraw your consent at any time.
For further information please compare the legal basis on which we base our processing of personal data with the legal basis on which we process personal data.
Advertising, Marketing And User Preferences In Communications
We may use Identifying, Contact, Technical, Tracking, Usage and Profiling Data to give us an idea of what you might want or need, or what might interest you. It is in this way that we decide which products, services and offers are relevant to the user and, accordingly, provide the user with the relevant communications. This is known as direct marketing.
We may use direct marketing strategies via e-mail. For example, the user may either receive an email via his or her mailbox
You can change your mind at any time and decide to unsubscribe. The easiest way to unsubscribe is via the unsubscribe link at the bottom of our communications.
We use Tracking Data to provide you with relevant online advertisements, including via websites and social media.
Tracking Data, and in particular cookies, help us deliver advertisements on sites and social media that we believe are most relevant to you. The cookies used for this purpose are often installed on our site by specialist companies.
Cookies also alert us to whether you have viewed a particular advertisement, as well as how long it has been since you last viewed it. Cookies also help us to understand whether you have opened one of our commercial e-mails, so that we can avoid sending you content that is trashed.
For more information on Tracking Data, particularly cookies, please see the Cookies section below.
Virtually all advertising-related cookies come from the online advertising networks of third parties. For more information on how to decide which advertisements to display online, compare the Unsubscribe section below.
Disclosure of Personal Data
We share data with third parties who are in the advertising, retargeting and analytics business. For more information about these third parties, please see the Cookie section above, including the list of cookies.
blualghero-sardinia uses the external payment processing company PayPal to process payments made for the purchase of our products and services through the Site. All online payments will be made in accordance with data security standards and the user’s billing information (used exclusively by the payment processing companies for fraud prevention) is encrypted before being communicated. The user’s credit card details are communicated directly from the browser to the payment processing companies: blualghero-sardinia does not have access to the user’s Primary Account Number (PAN). This means that the payment form is located outside the site or is displayed in a frame on the payment page.
For PayPal, we only store the tokens required to identify the transaction with PayPal itself, issue a refund, and identify transactions made through PayPal.
We have security measures in place to prevent the accidental loss of your personal data, as well as its use or access by unauthorised parties, as well as its alteration or disclosure.
Third Party Links
We will only retain your personal data for as long as is necessary to fulfill the purposes for which the data was collected, including purposes related to fulfilling any legal, accounting or reporting obligations.
In certain circumstances, you may ask us to delete data about you; please see the section on your statutory rights below for more information.
Rights guaranteed by law
If you reside in a European Union country, you are entitled to the following rights guaranteed by the law of privacy protection with regard to your personal data.
- Right of access – the right to submit a ‘data subject access request’ to obtain a copy of the personal data of the data subject stored;
- Right of rectification – the right to demand the correction of personal data if it is incomplete or incorrect;
- Right to erasure – also known as the ‘right to be forgotten’ when, in certain circumstances, a data subject may request that personal data concerning him or her be erased (provided that there is no rule requiring that personal data be retained and that the request is overridden);
- Right to restriction of processing – right to request, in certain circumstances, the suspension of the processing of personal data;
- Right to portability – right to request a copy of your personal data in a commonly used format (e.g. a .csv file);
- Right to object – the right to object to the processing of your personal data (for example, if you do not consent to the processing of your data for direct marketing purposes); and
- Rights related to automated decisions and profiling – the right to demand transparency for any profiling we perform, or for any decision made by an automated process.
These rights are subject to certain rules that determine their exercise. For more information, you can consult the Guide to the Application of the European Data Protection Regulation.
Data controller: Lucia Pisanu – firstname.lastname@example.org